Virtru and FIPS 140-2 compliance

Virtru’s encryption complies with FIPS 140-2, but not always by default. Customers should make sure to request Virtru with FIPS mode enabled to ensure FIPS 140-2 compliance across all Virtru platforms.

We use third-party AES-256 encryption libraries that have been certified by or for companies such as Google, Apple and Microsoft (more details below). As such, Virtru has not been required to go through validation directly.

The certificates for the certified cryptographic libraries are all listed here. The certificate numbers in question depend on the platform and are listed below:

*Upon request, we can enable FIPS mode in Virtru’s Chrome extension, but that platform does not use a FIPS module by default today.

Virtru also requires all connections to enforce Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) to protect the confidentiality of communication channels, including key exchanges. FIPS does not require this, but it is considered the very best practice available.